A trick for long passwords in Linux | Bitcointalksearch.org

Red Emerald

hero member

Activity: 742

Merit: 500

Quote from: Tarlusk on September 07, 2011, 03:16:27 PM

Quote from: Red Emerald on August 18, 2011, 12:42:57 PM

This is my favorite way of doing passwords now.

http://passphra.se/

It was inspired by an xckd comic (which was inspired by another article, I think). http://xkcd.com/936/

I would suggest using this website instead.

http://world.std.com/~reinhold/diceware.html
http://world.std.com/~reinhold/diceware.wordlist.asc

It does essentially the same thing, except that you do it yourself with a six-sided die.
That way your new password doesn't get sent over the internet in plaintext, and you don't have to trust the website that generated it.

It's javascript. The only thing sent over the internet is the giant word list. The passwords are generated client side.

Tarlusk

newbie

Activity: 5

Merit: 0

Quote from: Red Emerald on August 18, 2011, 12:42:57 PM

This is my favorite way of doing passwords now.

http://passphra.se/

It was inspired by an xckd comic (which was inspired by another article, I think). http://xkcd.com/936/

I would suggest using this website instead.

http://world.std.com/~reinhold/diceware.html
http://world.std.com/~reinhold/diceware.wordlist.asc

It does essentially the same thing, except that you do it yourself with a six-sided die.
That way your new password doesn't get sent over the internet in plaintext, and you don't have to trust the website that generated it.

RodeoX

legendary

Activity: 3066

Merit: 1147

The revolution will be monetized!

Great thoughts here guys! I especially like the idea of using the Md5 of a file only you know. Kinda like the car CD players that only unlock when you put in the correct music CD.

runeks

legendary

Activity: 980

Merit: 1008

Another way to create good-security and fairly easily remembered passwords in linux is using this command:

Code:

shuf -n --random-source=/dev/urandom /usr/share/dict/words

where is the number of dictionary words you want your password to consist of. My /usr/share/dict/words has about 98,000 words, which gives 16 bits of entropy per word. So let's say I create a password with 5 random words from this dictionary:

Code:

rune@runescomp:~$ shuf -n 5 --random-source=/dev/urandom /usr/share/dict/words
unwound
marrowing
jockey
illusion's
sacrament

I now have the password unwoundmarrowingjockeyillusion'ssacrament which has 80 bits of entropy, and isn't impossible to remember.
80 bits of entropy gives us about 10²⁴ possible combinations. Provided that passwords are stored as their MD5 hash and an attacker got hold of the MD5 hash (and he knew that he had to find five words from this particular dictionary), it'd take him about one millions years to finish, using 4 x HD 5970 graphics cards.

Of course, you can always choose fewer words, or use a dictionary that doesn't have words like "Ångström" and "prophylaxis". This could lower the entropy but make the passwords more easily rememberable. For example using six words from the Diceware wordlist, which would give you 78 bits of entropy but an easier to remember password.

Bebop

newbie

Activity: 27

Merit: 0

If people used your MD5 tecnique without *advertising* it on forums, it might be safe. If you spead the word and advertise this tecnique to the point that it becomes popular (is this not the idea of the thread?) then its a weak implementation of secuity -- and for all the effort you invested in stuffing around with the command console, you would have been better off selecting a password in the AAAAbbbb#1111 format and *not* worrying about MD5.

ffuentes

member

Activity: 70

Merit: 10

Only a curious passer-by / FirstBits: 13zsc1

Quote from: TeaL on September 04, 2011, 03:14:53 PM

Using a hash of a password as a password is great if someone is trying generic brute-forcing tactics. Where it fails (as mentioned) is against a dictionary specifically built to use the hashed values of common words etc.. If you want to use a hash as a password (which you shouldn't as you limit yourself to Hex characters), you'd be better off using the hash of a file.

For example, lets say I have a file I keep just for this purpose (keep a backup obviously), I can take a hash of this file and use it as a password without fear of someone compiling a dictionary with that in it.

Try the following using the openssl library (works on Mac OS X).

Code:

openssl md5 PATH_TO_FILE

This should return you md5 hash of the file you selected.

Additionally, md5 password hashs can be broken fairly easily. With my 2 6990s I can pull 18Ghash/s in Whitepixel (that's 18 Billion password attempts per second).

What do you recommend? Another kind of hash?

TeaL

newbie

Activity: 56

Merit: 0

Using a hash of a password as a password is great if someone is trying generic brute-forcing tactics. Where it fails (as mentioned) is against a dictionary specifically built to use the hashed values of common words etc.. If you want to use a hash as a password (which you shouldn't as you limit yourself to Hex characters), you'd be better off using the hash of a file.

For example, lets say I have a file I keep just for this purpose (keep a backup obviously), I can take a hash of this file and use it as a password without fear of someone compiling a dictionary with that in it.

Try the following using the openssl library (works on Mac OS X).

Code:

openssl md5 PATH_TO_FILE

This should return you md5 hash of the file you selected.

Additionally, md5 password hashs can be broken fairly easily. With my 2 6990s I can pull 18Ghash/s in Whitepixel (that's 18 Billion password attempts per second).

lazycodre

newbie

Activity: 25

Merit: 0

Quote from: leeloulee on August 19, 2011, 12:14:10 AM

yeh

I'll quote that just for fun!

leeloulee

member

Activity: 98

Merit: 10

yeh

fiatpirate

newbie

Activity: 12

Merit: 0

For those suggesting multiple hashes and such, I would think that a good phrase with mixed case and symbols may be easy enough and secure enough. You need supercomputers greater than are made today to crack a password constructed that way.

Just be smart, do it unexpected. Don't use a common phrase (use a derivative of it instead).

helloworld

sr. member

Activity: 266

Merit: 250

Quote from: Red Emerald on August 18, 2011, 12:42:57 PM

This is my favorite way of doing passwords now.

http://passphra.se/

It was inspired by an xckd comic (which was inspired by another article, I think). http://xkcd.com/936/

Whenever someone mentions 'password' and links to xkcd, I expect to see the $5-wrench comic.

Red Emerald

hero member

Activity: 742

Merit: 500

This is my favorite way of doing passwords now.

http://passphra.se/

It was inspired by an xckd comic (which was inspired by another article, I think). http://xkcd.com/936/

jackjack

legendary

Activity: 1176

Merit: 1280

May Bitcoin be touched by his Noodly Appendage

sha256 of a file, nothing to remember, impossible to find

wknight

legendary

Activity: 889

Merit: 1000

Bitcoin calls me an Orphan

If your looking for a great way to do passwords.. Password Haystacks is a great way to start.

This way you can use something you can remember and salt it to make it long enough to make it hard to figure out.

https://www.grc.com/haystack.htm

nmat

hero member

Activity: 602

Merit: 502

Maybe I should create my own hash function... Just in case Cool

RodeoX

legendary

Activity: 3066

Merit: 1147

The revolution will be monetized!

Quote from: sd on August 18, 2011, 03:18:47 AM

Quote from: helloworld on August 18, 2011, 02:44:29 AM

Also a brute force attacker would have to know exactly how many iterations you used... what if you put that md5 back in 2 or 3 times for a new md5?

Yes, it would be impractical to perform multiple rounds of MD5 hashing due to the computational difficulty of MD5.

Lets just check that:

function md5 {
echo -n $1 | md5sum | awk '{print $1}'
}

$ time md5 $(md5 $(md5 $(md5 $(md5 $(md5 $(md5 $(md5 $(md5 $(md5 'password' )))))))))
e36b70041d8f1609aa40b9ebba4363cf

real   0m0.084s
user   0m0.004s
sys   0m0.008s

That's on a laptop with the CPU throttled down to 800Mhz and coded in bash.

It's not even that hard.
There are like 80k words in common use in English. You could just create dictionaries that contain the Md5 values in advance. so six dictionaries could cover words plus up to five sums.
But again, you now have a targeted attack. That is a different beast. You would likely be hit by an additional targeted dictionary with your birthday, dog's name ect.

This method is for the person about to choose "password" as their password.

sd

hero member

Activity: 730

Merit: 500

Quote from: helloworld on August 18, 2011, 02:44:29 AM

Also a brute force attacker would have to know exactly how many iterations you used... what if you put that md5 back in 2 or 3 times for a new md5?

Yes, it would be impractical to perform multiple rounds of MD5 hashing due to the computational difficulty of MD5.

Lets just check that:

function md5 {
echo -n $1 | md5sum | awk '{print $1}'
}

$ time md5 $(md5 $(md5 $(md5 $(md5 $(md5 $(md5 $(md5 $(md5 $(md5 'password' )))))))))
e36b70041d8f1609aa40b9ebba4363cf

real   0m0.084s
user   0m0.004s
sys   0m0.008s

That's on a laptop with the CPU throttled down to 800Mhz and coded in bash.

helloworld

sr. member

Activity: 266

Merit: 250

Quote from: RodeoX on August 16, 2011, 06:20:24 PM

Good points all around. My method assumes no one knows you are encoding a simple password. And yes, it would be better to use a non-word. Then an attacker must go the brut force route. The Md5 is long and complex enough to avoid being in the "low hanging fruit" category.

The main advantage is ease of use and relatively strong protection using an easy to remember PW. With a little creativity you can go further. Suppose I used the Md5 result string to hash it again?

Also a brute force attacker would have to know exactly how many iterations you used... what if you put that md5 back in 2 or 3 times for a new md5?

SgtSpike

legendary

Activity: 1400

Merit: 1005

Quote from: ffuentes on August 16, 2011, 06:20:58 PM

That trick is ok, but your easy password should not be a dictionary word. Dictionary words, specially english words are very well knowed.

c2e055acd7ea39b9762acfa672a74136

GO!
EDIT: Lol, I googled it and the first result was correct. Point taken. Wink

Quote from: captainteemo on August 16, 2011, 06:23:42 PM

Quote from: RodeoX on August 16, 2011, 06:20:24 PM

Good points all around. My method assumes no one knows you are encoding a simple password. And yes, it would be better to use a non-word. Then an attacker must go the brut force route. The Md5 is long and complex enough to avoid being in the "low hanging fruit" category.

The main advantage is ease of use and relatively strong protection using an easy to remember PW. With a little creativity you can go further. Suppose I used the Md5 result string to hash it again?

It's still lowercase az09 of the same length.

Run a SHA512 string through base64 or something, or even gzip it and use that as a completely untypable password

I suppose it depends what sort of item/object/etc you are securing. Not everything needs to be fort knox...

captainteemo

full member

Activity: 143

Merit: 101

Quote from: RodeoX on August 16, 2011, 06:20:24 PM

Good points all around. My method assumes no one knows you are encoding a simple password. And yes, it would be better to use a non-word. Then an attacker must go the brut force route. The Md5 is long and complex enough to avoid being in the "low hanging fruit" category.

The main advantage is ease of use and relatively strong protection using an easy to remember PW. With a little creativity you can go further. Suppose I used the Md5 result string to hash it again?

It's still lowercase az09 of the same length.

Run a SHA512 string through base64 or something, or even gzip it and use that as a completely untypable password

Topic: A trick for long passwords in Linux (Read 2203 times)